
I am working with a certificate chain with 3 certificates:

  • ca.crt : Root CA certificate
  • intermediate.crt : intermediate CA certificate (signed by ca.crt)
  • cert.crt : the final certificate

I first try to verify with: openssl verify -CAfile ca.crt -untrusted intermediate.crt cert.crt

I get as result cert.crt: OK

So it's all fine.

But if I create a certificate chain with cat cert.crt intermediate.crt > cert.chain

And then I verify with openssl verify -CAfile ca.crt cert.chain

The result is error 20 at 0 depth lookup:unable to get local issuer certificate

And the cert.chain file is also rejected by a server for the exact same reason.

I don't understand where the problem is.

Robert Masse
    This is not a programming question or problem, and is dupe https://stackoverflow.com/questions/44375300 and https://stackoverflow.com/questions/29436967 (both flagged offtopic) and crossdupe at least https://security.stackexchange.com/questions/223884 https://security.stackexchange.com/questions/163577 https://security.stackexchange.com/questions/203451 https://unix.stackexchange.com/questions/354195 . `openssl verify ... file` reads only ONE cert from file, NOT A CHAIN. ... – dave_thompson_085 Dec 08 '20 at 18:53
  • ... I don't know what you mean by a server 'reject[ing]' a file; servers usually don't validate their own cert(s), and should accept a valid chain sent by a client (whether or not from a file) unless you did something wrong, which might possibly be related to programming depending on what you actually did. – dave_thompson_085 Dec 08 '20 at 18:53

3 Answers


I first try to verify with: openssl verify -CAfile ca.crt -untrusted intermediate.crt cert.crt

This will take the first certificate out of cert.crt and try to build the trust chain using the given untrusted CA certificates in intermediate.crt up to some root CA certificate in ca.crt.

And then I verify with openssl verify -CAfile ca.crt cert.chain

This will also take the first certificate out of cert.chain. It will ignore remaining certificates in this file. It will then try to build the trust chain to some root CA certificate in ca.crt without using any intermediate CA certificates since none are given. It will thus fail.

And the cert.chain file is also rejected by a server for the exact same reason.

It is unknown what exactly happens here. If it is "rejected by a server" then you likely talk about validating a client certificate by the server. It might simply be that the client application does not send the whole chain to the server but only the first certificate from the file. Nothing is known about this client application, though, so this is only speculation.

Steffen Ullrich

Thanks to all. Yes, the correct way to verify a chain is with using the "untrusted" parameter of openssl verify to specify the intermediate certificate.

The connection to the server was tried with openssl s_client, specifying the certificate chain in the "cert" parameter, but it fails. Using a recent openssl version (1.1.0 or newer), it is now possible to add the "cert_chain" parameter to specify the intermediate certificate to use.

Robert Masse

Hello, your error is just related to the fact that your chain is not built correctly. Normally your verify with untrusted shall not work, that's why you're confused. The correct sequence is below. I invite you to regenerate and recreate your chain.

openssl verify -CAfile ca.crt -untrusted cert.crt intermediate

This will start at the end (Root > intermediate > cert).

So your chain shall be built as follows:

cat intermediate.crt cert.crt > chain.crt

Then it shall work.